Description
The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapa_proceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant's Chapa secret API key.
Published: 2026-02-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The Chapa Payment Gateway Plugin for WooCommerce is vulnerable to a sensitive information exposure flaw that allows an unauthenticated attacker to retrieve the merchant's Chapa secret API key. The flaw is reached through the 'chapa_proceed' WooCommerce API endpoint, which returns configuration data without enforcing authentication. The issue is classified as a classic data-leak weakness (CWE-200), meaning that privileged data can be read by attackers holding no credentials at all.

Affected Systems

All installations of the Chapa Payment Gateway Plugin for WooCommerce version 1.0.3 and earlier are affected. The plugin is a WordPress add‑on that integrates Chapa payment processing into WooCommerce stores; any WordPress site running the vulnerable plugin falls under the scope of this vulnerability.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The EPSS score of less than 1% shows that, at the time of analysis, the probability of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the exposed API key grants full access to a merchant's payment account, an attacker who obtains it could authorize payments, void transactions, or steal financial information. The likely attack vector is remote over the public internet via the exposed 'chapa_proceed' endpoint.

Generated by OpenCVE AI on April 22, 2026 at 15:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Chapa Payment Gateway Plugin to the latest version that removes the unauthenticated exposure of the secret key
  • If an upgrade is not immediately possible, disable or remove the Chapa plugin from the site to eliminate the vulnerability surface
  • Apply network or firewall rules to block external access to the 'chapa_proceed' endpoint until the plugin is patched or removed
  • After remediation, rotate the exposed Chapa secret API key, purge any cached or stored copies of the old key from the site's configuration, and verify that the rotation has taken effect
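One way to carry out the third recommendation at the application layer, as an added example that is not part of the OpenCVE record or of the Chapa plugin's own code: a WordPress must-use plugin that rejects requests to the legacy WooCommerce API endpoint 'chapa_proceed' before the plugin's own handler runs. It assumes the endpoint is registered through WooCommerce's standard `woocommerce_api_{endpoint}` action, which is how legacy WooCommerce API handlers are normally hooked; the function name and log prefix are chosen here for illustration.

```php
<?php
/**
 * Plugin Name: Block chapa_proceed endpoint (temporary mitigation)
 * Description: Added example, not the Chapa plugin's code. Place in wp-content/mu-plugins/
 *              to refuse requests to the legacy WooCommerce API endpoint 'chapa_proceed'
 *              until the plugin is upgraded or removed.
 */

// WooCommerce dispatches legacy API requests (/?wc-api=<name> or /wc-api/<name>/) by
// firing the action 'woocommerce_api_<name>'. Hooking that action at priority 0 runs
// before the plugin's own handler (default priority 10), so the request ends here.
// Assumption: the Chapa plugin registers its 'chapa_proceed' handler on this action,
// as legacy WooCommerce gateways normally do.
add_action( 'woocommerce_api_chapa_proceed', 'mitigation_block_chapa_proceed', 0 );

function mitigation_block_chapa_proceed() {
    // Record the attempt in the PHP error log so probing of the endpoint is visible
    // to whoever is monitoring the site while it waits for the patch.
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf( '[chapa-mitigation] blocked wc-api=chapa_proceed from %s', $remote ) );

    // Answer 403 without caching and stop execution; the plugin's handler is never reached,
    // so no configuration data (and no secret key) can be returned.
    status_header( 403 );
    nocache_headers();
    wp_die( 'This endpoint is disabled.', 'Forbidden', array( 'response' => 403 ) );
}
```

Blocking the endpoint outright may also break the plugin's own payment return flow, which is why the record pairs this step with upgrading or disabling the plugin rather than treating it as a permanent fix.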



Advisories

No advisories yet.

History

Wed, 04 Feb 2026 21:30:00 +0000

Type: First Time appeared
Values Added: Chapaet; Chapaet chapa Payment Gateway Plugin For Woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Chapaet; Chapaet chapa Payment Gateway Plugin For Woocommerce; Wordpress; Wordpress wordpress

Wed, 04 Feb 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Feb 2026 08:45:00 +0000

Type: Description
Values Added: The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapa_proceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant's Chapa secret API key.

Type: Title
Values Added: Chapa Payment Gateway Plugin for WooCommerce <= 1.0.3 - Unauthenticated Sensitive Information Exposure

Type: Weaknesses
Values Added: CWE-200

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:45.305Z

Reserved: 2026-01-07T19:59:46.779Z

Link: CVE-2025-15482

Vulnrichment

Updated: 2026-02-04T16:19:00.461Z

NVD

Status : Deferred

Published: 2026-02-04T09:15:51.033

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15482

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:45:20Z

Weaknesses